From 3267293a468d65a8bae755da77d2a48a9e25663a Mon Sep 17 00:00:00 2001 From: Piotr Marcinkiewicz Date: Fri, 26 Mar 2021 13:06:35 +0100 Subject: [PLATFORM] Generate Cert-Service certs with Cert-Manager Utilize Cert-Manager to secure communication between Cert-Service and its clients, adjust templates and configs. Issue-ID: OOM-2712 Signed-off-by: Piotr Marcinkiewicz Change-Id: I96426b1a184b4d254575e76d29214d9deda08cce Signed-off-by: Remigiusz Janeczek --- .../components/cmpv2-cert-provider/values.yaml | 8 +- .../platform/components/oom-cert-service/Makefile | 183 --------------------- .../components/oom-cert-service/requirements.yaml | 6 + .../oom-cert-service/templates/certificate.yaml | 17 ++ .../oom-cert-service/templates/deployment.yaml | 4 +- .../oom-cert-service/templates/issuer.yaml | 32 ++++ .../oom-cert-service/templates/secret.yaml | 39 +---- .../components/oom-cert-service/values.yaml | 104 +++++++++--- 8 files changed, 143 insertions(+), 250 deletions(-) delete mode 100644 kubernetes/platform/components/oom-cert-service/Makefile create mode 100644 kubernetes/platform/components/oom-cert-service/templates/certificate.yaml create mode 100644 kubernetes/platform/components/oom-cert-service/templates/issuer.yaml (limited to 'kubernetes/platform') diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 0614819930..c34ebad982 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,10 +73,10 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: cmpv2-issuer-secret - certRef: certServiceServer-cert.pem - keyRef: certServiceServer-key.pem - cacertRef: truststore.pem + name: oom-cert-service-server-tls-secret + certRef: tls.crt + keyRef: tls.key + cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile deleted file mode 100644 index ea0cb8aae4..0000000000 --- a/kubernetes/platform/components/oom-cert-service/Makefile +++ /dev/null @@ -1,183 +0,0 @@ -CERTS_DIR = resources -CURRENT_DIR := ${CURDIR} -DOCKER_CONTAINER = generate-certs -DOCKER_EXEC = docker exec ${DOCKER_CONTAINER} - -all: start_docker \ - clear_all \ - root_generate_keys \ - root_create_certificate \ - root_self_sign_certificate \ - client_generate_keys \ - client_generate_csr \ - client_sign_certificate_by_root \ - client_import_root_certificate \ - client_convert_certificate_to_jks \ - server_generate_keys \ - server_generate_csr \ - server_sign_certificate_by_root \ - server_import_root_certificate \ - server_convert_certificate_to_jks \ - server_convert_certificate_to_p12 \ - convert_truststore_to_p12 \ - convert_truststore_to_pem \ - server_export_certificate_to_pem \ - server_export_key_to_pem \ - clear_unused_files \ - stop_docker - -.PHONY: all - -# Starts docker container for generating certificates - deletes first, if already running -start_docker: - @make stop_docker - $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2)) - $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2)) - $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE)) - $(eval USERNAME :=$(shell id -u)) - $(eval GROUP :=$(shell id -g)) - docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE) - -# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted -stop_docker: - docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true - -#Clear all files related to certificates -clear_all: - @make clear_existing_certificates - @make clear_unused_files - -#Clear certificates -clear_existing_certificates: - @echo "Clear certificates" - ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem - @echo "#####done#####" - -#Generate root private and public keys -root_generate_keys: - @echo "Generate root private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ - -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ - -storepass secret -ext BasicConstraints:critical="ca:true" - @echo "#####done#####" - -#Export public key as certificate -root_create_certificate: - @echo "(Export public key as certificate)" - ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc - @echo "#####done#####" - -#Self-signed root (import root certificate into truststore) -root_self_sign_certificate: - @echo "(Self-signed root (import root certificate into truststore))" - ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt - @echo "#####done#####" - -#Generate certService's client private and public keys -client_generate_keys: - @echo "Generate certService's client private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceClient-keystore.jks -storetype JKS \ - -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret - @echo "####done####" - -#Generate certificate signing request for certService's client -client_generate_csr: - @echo "Generate certificate signing request for certService's client" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr - @echo "####done####" - -#Sign certService's client certificate by root CA -client_sign_certificate_by_root: - @echo "Sign certService's client certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ - -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" - @echo "####done####" - -#Import root certificate into client -client_import_root_certificate: - @echo "Import root certificate into intermediate" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService's client -client_convert_certificate_to_jks: - @echo "Import signed certificate into certService's client" - ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt - @echo "####done####" - -#Generate certService private and public keys -server_generate_keys: - @echo "Generate certService private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceServer-keystore.jks -storetype JKS \ - -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" - @echo "####done####" - -#Generate certificate signing request for certService -server_generate_csr: - @echo "Generate certificate signing request for certService" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr - @echo "####done####" - -#Sign certService certificate by root CA -server_sign_certificate_by_root: - @echo "Sign certService certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ - -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ - -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" - @echo "####done####" - -#Import root certificate into server -server_import_root_certificate: - @echo "Import root certificate into intermediate(server)" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService -server_convert_certificate_to_jks: - @echo "Import signed certificate into certService" - ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ - -storepass secret -noprompt - @echo "####done####" - -#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) -server_convert_certificate_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ - -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.jks) to PCKS12 format(.p12) -convert_truststore_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \ - -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.p12) to PEM format(.pem) -convert_truststore_to_pem: - @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret - @echo "#####done#####" - -#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_certificate_to_pem: - @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem - @echo "#####done#####" - -#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_key_to_pem: - @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem - @echo "#####done#####" - - -#Clear unused certificates -clear_unused_files: - @echo "Clear unused certificates" - ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12 - @echo "#####done#####" diff --git a/kubernetes/platform/components/oom-cert-service/requirements.yaml b/kubernetes/platform/components/oom-cert-service/requirements.yaml index e89dc58027..6177278552 100644 --- a/kubernetes/platform/components/oom-cert-service/requirements.yaml +++ b/kubernetes/platform/components/oom-cert-service/requirements.yaml @@ -19,3 +19,9 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml new file mode 100644 index 0000000000..fd317703e3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2020-2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "certManagerCertificate.certificate" . }} diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index c4d7440b20..9a6abd4eb9 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -93,9 +93,9 @@ spec: - name: ROOT_CERT value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} livenessProbe: exec: command: diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml new file mode 100644 index 0000000000..9047ab73d3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml @@ -0,0 +1,32 @@ +{{/* + # Copyright © 2021, Nokia + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} + +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.selfsigning.name }} + namespace: {{ include "common.namespace" . }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.ca.name }} + namespace: {{ include "common.namespace" . }} +spec: + ca: + secretName: {{ .Values.tls.issuer.ca.secret.name }} \ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml index 2d47e6f57c..5401801af5 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml @@ -28,42 +28,5 @@ data: {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }} {{ end }} --- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }} -type: Opaque -data: - certServiceClient-keystore.jks: - {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.server.secret.name }} -type: Opaque -data: - certServiceServer-keystore.jks: - {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} - certServiceServer-keystore.p12: - {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} - root.crt: - {{ (.Files.Glob "resources/root.crt").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.provider.secret.name }} -type: Opaque -data: - certServiceServer-key.pem: - {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }} - certServiceServer-cert.pem: - {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }} - truststore.pem: - {{ (.Files.Glob "resources/truststore.pem").AsSecrets }} + {{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 537b025fb0..829d3a01d1 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -79,38 +79,40 @@ cmpServers: mountPath: /etc/onap/oom/certservice tls: + issuer: + selfsigning: + name: &selfSigningIssuer cmpv2-selfsigning-issuer + ca: + name: &caIssuer cmpv2-ca-issuer + secret: + name: &caKeyPairSecret cmpv2-ca-key-pair server: secret: - name: oom-cert-service-server-tls-secret + name: &serverSecret oom-cert-service-server-tls-secret volume: name: oom-cert-service-server-tls-volume mountPath: /etc/onap/oom/certservice/certs/ client: secret: defaultName: oom-cert-service-client-tls-secret - provider: - secret: - name: cmpv2-issuer-secret envs: keystore: - jksName: certServiceServer-keystore.jks - p12Name: certServiceServer-keystore.p12 - pemName: certServiceServer-keystore.pem + jksName: keystore.jks + p12Name: keystore.p12 + pemName: tls.crt truststore: jksName: truststore.jks - crtName: root.crt - pemName: truststore.pem + crtName: ca.crt + pemName: tls.crt httpsPort: 8443 # External secrets with credentials can be provided to override default credentials defined below, # by uncommenting and filling appropriate *ExternalSecret value credentials: tls: - keystorePassword: secret - truststorePassword: secret - #keystorePasswordExternalSecret: - #truststorePasswordExternalSecret: + certificatesPassword: secret + #certificatesPasswordExternalSecret: # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled cmp: # Used only if cmpv2 testing is enabled @@ -126,17 +128,11 @@ credentials: # rv: unused secrets: - - uid: keystore-password - name: '{{ include "common.release" . }}-keystore-password' - type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.keystorePassword }}' - passwordPolicy: required - - uid: truststore-password - name: '{{ include "common.release" . }}-truststore-password' + - uid: certificates-password + name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.truststorePassword }}' + externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' + password: '{{ .Values.credentials.tls.certificatesPassword }}' passwordPolicy: required # Below values are relevant only if global addTestingComponents flag is enabled - uid: ejbca-server-client-iak @@ -155,3 +151,65 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' password: '{{ .Values.credentials.cmp.ra.rv }}' + +# Certificates definitions +certificates: + - name: selfsigned-cert + secretName: *caKeyPairSecret + isCA: true + commonName: root.com + subject: + organization: Root Company + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: Root Org + issuer: + name: *selfSigningIssuer + kind: Issuer + - name: cert-service-server-cert + secretName: *serverSecret + commonName: oom-cert-service + dnsNames: + - oom-cert-service + - localhost + subject: + organization: certServiceServer org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceServer company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + - p12 + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer + - name: cert-service-client-cert + secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' + commonName: certServiceClient.com + subject: + organization: certServiceClient org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceClient company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer -- cgit 1.2.3-korg